GenZAgents for healthtech — HIPAA, NHS DSPT, and EU MDR-compatible AI audit

Healthcare AI is heavily regulated: HIPAA, the NHS DSPT, EU MDR and FDA AI/ML guidance all require AI usage logging. The GenZAgents receipt layer satisfies the "who did what with which data, when, supervised by whom" evidence requirement.

Regulatory mosaic

HIPAA Privacy Rule + Security Rule require access logs for ePHI; AI-mediated ePHI access is in scope. NHS Data Security and Protection Toolkit (DSPT) Standard 9 requires technical and procedural protections for AI use. EU MDR + the AI Act treat AI-as-medical-device under separate but compatible audit regimes. FDA AI/ML guidance asks for change-control logs for AI models in clinical settings. Each regulator wants similar evidence; receipts unify them.

HIPAA-specific receipt fields

For ePHI-touching receipts, tag the project as project=ephi-context. The receipt captures the AI provider (BAA verification trail), the human supervisor (a HIPAA-trained workforce member), the timestamp (the access log entry), and the action (read / write / decision). The receipt itself does not store ePHI by default (it holds a digest only); full content storage is a per-project opt-in for projects where the prompt content is the audit value.

Business Associate Agreement (BAA) verification

HIPAA requires BAAs with any vendor processing ePHI. Receipts capture the provider name + model + endpoint, so your BAA mapping is verifiable: "every ePHI receipt is on Anthropic (BAA in place) or Azure OpenAI (BAA in place)". The dashboard flags receipts using providers without BAAs — invaluable for catching policy drift.

EU MDR + AI Act for medical devices

For software-as-medical-device using AI: EU MDR requires post-market surveillance + change-control logs. AI Act Annex IV requires "design specifications and operational records". Receipts become the operational record; per-version model tracking covers change control. Notified bodies are increasingly comfortable with this format.

Operational scenario: clinical decision support

Consider an AI-assisted differential diagnosis tool. Each query becomes a receipt: the clinician's human_id, the patient case ID (de-identified), the model used, the AI's suggestions, and the clinician's final decision. The audit trail satisfies both the HIPAA requirement (access log) and the clinical-governance question ("did the clinician review the AI's suggestion?") simultaneously.

Operational scenario: AI-mediated documentation

AI scribes, structured notes, and discharge summaries: each AI-produced artifact has an associated receipt recording who triggered it, which model produced it, when, and the supervising clinician. The artifact is signed, so tampering invalidates the signature, and medical records governance gets a cryptographic chain of custody.
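The three mechanisms described above (digest-only ePHI receipts, BAA mapping checks, and tamper-evident signatures) are shown together in the following added example. It is illustrative code written for this page, not GenZAgents' own code or receipt schema: the field names beyond those mentioned on the page (prompt_digest, case_id, signature), the BAA register, the HMAC signing scheme, and the simplified sorted-key canonicalization standing in for full JCS are all assumptions.

```python
"""Added example (not GenZAgents code): digest-only ePHI receipts that are
canonicalized, signed, verified, and checked against a BAA register."""
import hashlib
import hmac
import json

# Constructed BAA register: which providers have a signed BAA on file.
# Assumption: a real deployment would load this from the contracts system.
BAA_REGISTER = {
    "anthropic": True,
    "azure-openai": True,
    "unvetted-llm": False,
}

# Constructed signing key. Assumption: production would use a KMS-held key
# or an asymmetric signature; HMAC is used here only to keep the example short.
SIGNING_KEY = b"example-signing-key-do-not-use"


def canonicalize(obj: dict) -> bytes:
    """Sorted keys, no whitespace, UTF-8. Assumption: this approximates JCS
    (RFC 8785) for the string-only fields used here; real JCS also
    normalizes number formatting."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def build_receipt(human_id: str, provider: str, model: str, endpoint: str,
                  action: str, prompt_text: str, case_id: str,
                  timestamp: str) -> dict:
    """Digest-only receipt: the prompt text itself never enters the record."""
    return {
        "project": "ephi-context",          # tag from the page
        "human_id": human_id,               # supervising workforce member
        "provider": provider,
        "model": model,
        "endpoint": endpoint,
        "action": action,                   # read / write / decision
        "case_id": case_id,                 # de-identified case reference
        "timestamp": timestamp,
        "prompt_digest": hashlib.sha256(prompt_text.encode("utf-8")).hexdigest(),
    }


def sign_receipt(receipt: dict) -> dict:
    """Return a copy carrying an HMAC over the canonical form of all other fields."""
    body = {k: v for k, v in receipt.items() if k != "signature"}
    sig = hmac.new(SIGNING_KEY, canonicalize(body), hashlib.sha256).hexdigest()
    return {**body, "signature": sig}


def verify_receipt(signed: dict) -> bool:
    """True only if the signature matches the receipt's current contents."""
    body = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(SIGNING_KEY, canonicalize(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("signature", ""))


def flag_missing_baa(receipts: list) -> list:
    """ePHI receipts whose provider has no BAA on file (policy drift)."""
    return [r for r in receipts
            if r.get("project") == "ephi-context"
            and not BAA_REGISTER.get(r.get("provider"), False)]


def leaks_prompt(signed: dict, prompt_text: str) -> bool:
    """Check that raw prompt text is absent from the serialized receipt."""
    return prompt_text in canonicalize(signed).decode("utf-8")


def demo() -> dict:
    """Run the checks on constructed receipts and return the results."""
    prompt = "Constructed sample prompt mentioning a case history"
    ok = sign_receipt(build_receipt("clin-001", "anthropic", "model-x",
                                    "https://example.invalid/v1", "read",
                                    prompt, "case-deid-42", "2024-01-01T09:00:00Z"))
    drift = sign_receipt(build_receipt("clin-002", "unvetted-llm", "model-y",
                                       "https://example.invalid/v1", "read",
                                       prompt, "case-deid-43", "2024-01-01T09:05:00Z"))
    tampered = {**ok, "action": "write"}   # edit after signing
    return {
        "valid": verify_receipt(ok),
        "tampered_valid": verify_receipt(tampered),
        "flagged_providers": [r["provider"] for r in flag_missing_baa([ok, drift])],
        "prompt_leaked": leaks_prompt(ok, prompt),
    }


if __name__ == "__main__":
    print(demo())
```

The receipt stores only a SHA-256 digest of the prompt, so the record proves which prompt was used without itself becoming ePHI; the BAA check runs over the same provider field the signature covers, so a provider value cannot be altered after the fact to hide drift.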

Common questions

Does GenZAgents itself have a BAA?

Available on the Enterprise tier. We sign BAAs with healthcare customers; self-hosted deployment keeps all PHI in your control.

Is the receipt format compatible with HL7 FHIR audit events?

Not natively yet — receipts are JCS-canonical JSON, whereas FHIR audit events are FHIR AuditEvent resources. The two can be cross-walked; v0.8 ships a native FHIR audit event exporter.

Can we run this on-prem for HIPAA / DSPT?

Yes — Enterprise self-hosted deployment via Helm chart. Receipts in your cluster; no PHI ever flows to GenZAgents servers.

Does this satisfy the NHS's clinical safety standards (DCB0129 / DCB0160)?

DCB0129 and DCB0160 are clinical safety standards for software. Receipts document the operational use; the clinical safety case itself (hazard analysis, mitigation) still needs to be produced by your clinical safety officer. Receipts feed into the safety case as operational evidence.

Related

Get the trust layer for your AI work

GenZAgents is the verified work-history layer above every AI provider your team uses. Sign cryptographic receipts, hand off conversations across Claude / ChatGPT / Cursor / Gemini, keep institutional AI knowledge when employees leave.
